Common FortiClient SSL VPN errors

This is a repost of a post from an old blog, made on July 13, 2012, that used to be on:

http://wp.me/p25nt4-71

http://adminramble.com/common-forticlient-ssl-vpn-errors/

Original post:

I see from the stats that one of the posts with the most visits is the one about the FortiClient SSL VPN error “the vpn server may be unreachable. (-5)” so i decided to add another post describing some of the most common errors that may come up when connecting to FortiGate with SSL VPN.

  1. Connecting process stops at 10, error “Unable to establish the VPN connection. The VPN server may be unreachable.”

    This is most commonly caused by, either the firewall blocking any kind of traffic towards the VPN server IP address or the FortiClient application itself by the firewall on the host or on the network, or either by routing errors towards the IP address of the VPN server.
    The problem can usually be solved by adjusting the host or network firewall rules on the client side.
    Sometimes in rare cases I have found the problem is caused by error on the FortiGate device, in this case no one is able to connect to the VPN neither using SSL VPN or IPsec but the internal networks can go to all local networks and the external internet connection. In that case a simple reboot of the device solves the problem.
  2. Connecting process stops at 80, error “Unable to logon to the server. Your username or password may not be configured properly for this connection. (-12)”

    As the error states itself the most common problem is that either the username or the password isn’t matching the one of the device.
    Other problems might be:
    – the user is not in the correct user group that has VPN access (either the local firewall group or the LDAP server group if you’re using one)
    – there isn’t a corresponding firewall policy rule that allows access for the user group to any of the internal networks. You need to have the rule from the wan interface to one of the internal interfaces with action SSL-VPN and select the group of users which will have access, check if your user is in correct group.
    – you might be trying to connect to VPN from the wrong side of the interface (from one of your internal networks or from the network of one of the sites you already have a site to site connection.
    – UPDATE: Special characters are being used in the password. (See this serverfault thread)
  3. Connecting process stops at 40, error “Unable to establish the VPN connection. The VPN server may be unreachable -5”

    As you can see in one of my earlier posts “the vpn server may be unreachable. (-5)”,  the problem can sometimes be caused by some sort of VNC server on the machine.
    Other possible problems can be:
    – the firewall rules on local machine, or on the network gateway ( I have rarely found      this to be the problem with this error)
    – problems with the FortiGate device, in most of the time the device would be the problem and the problem would go away after the reboot of the FortiGate device, but would come again after the few days. In this case the problem would most of the time be with the extensive logging of the traffic and the events on the device. So try to remove  traffic logging on some of the rules or events.

1 thought on “Common FortiClient SSL VPN errors”

Leave a Reply